Is your VPN a Welcome Mat for Cyberattacks on Critical Assets?

Diem Shin
August 4, 2022

A recent study found that hackers can breach 93 percent of companies’ network perimeters to access their local network resources. Many of these organizations rely on enterprise VPNs to give their personnel authorized access to those resources. But in recent years, enterprise VPNs have emerged as a significant risk for organizations that use them.

By definition, VPNs provide large numbers of users, from employees to third-party partners and vendors, with convenient access to an organization’s network from the public internet. More VPN users mean a larger network attack surface, increasing the number of potential vulnerabilities across an enterprise’s network. Federal cybersecurity authorities warn that nation-state actors and adversaries exploit these vulnerabilities to gain entry to the network. Once inside, they perform reconnaissance on vulnerable systems in an effort to obtain authentication credentials for further access to critical assets and sensitive information whose compromise could jeopardize daily operations and the ongoing viability of the organization.

Since the COVID-19 pandemic, enterprise VPNs have been taxed beyond their ability to safely accommodate the daunting number of remote workers who need to access apps, company files and network resources in order to collaborate and be productive. Further, enterprise VPNs must be available 24/7 to facilitate critical business functions, third-party vendors and remote workers around the globe. To avoid downtime, lost productivity and user frustration, organizations are less likely to take their VPN offline for the latest patches and updates. The result is that the same system that provides legitimate access to your network becomes an illegitimate gateway to your most critical assets. In fact, a recent study found that 72 percent of IT professionals are concerned that VPNs may jeopardize their ability to keep their IT environments secure.

While any breach is bad, the worst are breaches of an organization’s critical assets — data, systems, and applications whose compromise poses an existential threat to the organization and its ability to function. Another study found that 99 percent of IT professionals believe an attack on their critical assets would have repercussions for their organizations as well as for wider society.

What are an organization’s critical assets? For financial services, it could be an M&A database containing sensitive strategic information about several different companies; for a healthcare provider, it could be e-healthcare records; for a university, it could be classified research. For organizations that need to provide remote access, the use of an enterprise VPN exposes their crown-jewel assets to tremendous risk.

Critical assets need an additional layer of security

For those mission-critical assets, organizations such as financial institutions, healthcare providers, critical infrastructure and others need an additional layer of security for when hackers breach the enterprise VPN. One solution to consider is network obfuscation. Network obfuscation prevents critical digital resources from being visible on the public internet and even within the enterprise network. Vital data, records, and applications are cordoned off in an “invisible vault” that keeps unauthorized users from even knowing they exist. This reduces the number of attack surfaces since these assets are no longer visible to hackers. They can’t exploit them if they can’t see them.

To learn more about the vulnerabilities of enterprise VPNs and how adding network obfuscation to your cybersecurity strategy can help protect your most critical assets, download the ebook: Backstopping Your VPN and Other Attack Surfaces

Diem Shin
Product Marketing Manager
Diem Shin joined Telos in 2021, and serves as product marketing manager for Telos Ghost.